These Hackers Reveal How Easy It Is To Hack US Voting Machines

Security
I cover crime, privacy and security in digital and physical forms.

The U.S. voting system, a loosely regulated, locally managed patchwork of more than 3,000 jurisdictions overseen by the states, employs more than two dozen types of machinery from 15 manufacturers. Elections officials across the nation say they take great care to secure their machines from tampering. (AP Photo/Mary Altaffer)

In a muggy little room in the far corner of Caesar's Palace, wide-eyed and almost audibly buzzing is Carsten Schurmann. The German-born hacker has just broken into a U.S. voting machine with his Apple Mac in a matter of minutes. He can turn it on and off, he can read all the information stored within and if he felt like it, he could probably change some votes if the system was in use. "This is insane," he says.

But today, that machine is not in use, it's being opened up for anyone to try what Schurmann did. A host of technically-minded folk have gathered at DEF CON's Voting Machine Village, where they're tinkering with more than 25 commonly used systems used across American elections. They might just save the next election from Russian hackers.

Those machines are, co-organizer Matt Blaze says, horribly insecure. Blaze's hope is the public will be made aware of their many, many flaws, and demand elections be protected from outside, illegal interference, following the much-documented attempts by Russia to install Donald Trump as president.

"One of the things we want to drive home is that these things are ultimately software-based systems and we know software-based systems have vulnerabilities, that just comes with the territory," Blaze tells Forbes. Blaze has previously highlighted serious weaknesses in machines.

"We want to make the problems public, so they can be fixed, so the public will know what the problems are and will be able to demand their systems be improved. Anything that helps informs the public qualifies as good faith here.

"The stakeholders for voting machines are everyone in the country. So it's important the problems get fixed."

How to hack a voting machine

An excited Shurmann, whose day job is at the IT University of Copenhagen, is showing Forbes exactly how he took control of the WINVote machine, a system that has, admittedly, long been removed from use in real elections due to its vulnerability.

The attack is remarkably simple-looking, even to non-technical eyes. First, he finds the Wi-Fi access point in the device, normally used to hook up to other systems on an election network. Using a tool called Wireshark, he was then able to grab the IP address of the device. Knowing that it ran an ancient version of Microsoft Windows, Schurmann ran a hacking tool called Metasploit, which exploited an old vulnerability that was never patched on the machine. And that was it: he had enough access to alter records.

What made the attack particularly worrisome was that it was possible wirelessly. "You don't even need to get up for this to work," he tells Forbes, noting that he had previously practiced the attack ahead of time . "Now we can really change things as we're the admin."

With luck, Schurmann's finds, alongside the other hacks inevitably going down in this diminutive space will cause regulators to take note. According to Barbara Simmons, president at Verified Voting, it should be straightforward to make elections considerably safer. "We need paper ballots and post-election audits.

If we can get this nationwide, we will be safe from hacks on the voting technology itself."

As former FBI director James Comey said, the digital spies who attempted to sway the 2016 vote will return. They'll be back for the mid-terms in 2018 and they'll be around causing trouble in 2020. The sooner these hackers' voices are heard, the less likely America's democracy will die.